I am under attack by persistent login attempts to my dropbear sshd.

I modified hosts.allow to be my ip address
hosts.deny to be all: all

Then I tried to connect to ssh using a different ip, and I was able to login. And my /var/log/auth.log just keeps on growing with hacking attempts.



-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

This only works if a daemon is compiled with tcp wrappers. e.g.:
Instead, consider using iptables rules to protect your dropbear service.

Another option is to use the AllowUsers directive with the form user@host. (Does dropbear support that?)

I don't mean to lecture, but you shouldn't be running services that listen to connections from the 'net if you're not sure how to properly secure them. Is turning off dropbear altogether an option?

Hey there,

It's primitive but you can also just test from the command line by running tcpd with sshd as its argument. That'll quickly tell you if you have it compiled correctly or not.

Also, how specific is your hosts.allow? Is it ALL for your IP address or is it split up by service? If it's ALL, your sshd probably doesn't support tcp wrappers. If you're splitting by service, there might be an issue in the file.

Another thing you can try is to use lsof (or a similar program) to determine where sshd is running from. It's a long-shot, but if you have more than one sshd on your system it could be that the wrong one is being protected.

No offense meant, just trying to cover all the angles I can see from scanning over the post.

Best wishes,

Mike

alright, ty for your suggestions. Unfortunately, my server is only accessible remotely, and more unfortunately, I'm the only linux admin that I can afford.

I suspect that dropbear may not support tcp wrappers. But I'm not certain. Anyway, I installed openssh and made it listen to a strange port number. Hopefully, that will keep the hackers guessing until tomorrow. I'll try to figure out firewalls and tcp wrappers ... or die(mysql_pun_intended) trying.

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Is this an embedded Linux system? If not, I don't see any reason not to use openssl instead.

There are some things you can do to secure ssl further.

• disable root logins
• disable password authentication
• use public key authentication
• change the port number
• use "AllowUsers" (which disables all other users & groups)
• Create your key with a good passphrase
• Use a "from=" field in authorized_keys.

A passphrase will help protect your private key. A "from=" option in the server's authorized_keys file will prevent logging in from another location even it the private key is lost.

Have you looked into the links I gave you here?
http://www.linuxquestions.org/questi...0/#post3188110
I did not realize that dropbear does not have a config-file - the options are given when it is started (like on the command-line) - usually it is started from /etc/init.d/...
will tell you more.
You could surely install openssh and replace dropbear by it - but most of it should work just as well.

Was all that not working or not enough? Or just problems configuring dropbear.
Portknocking is another step to make it more difficult for someone to attack or DOS you.

Thanks alot guys, this really helped. I'm no longer getting any spam login attempts. What's more, after I secured sshd, my shell command seemed to work faster too (before this, it took a fraction of a second for anything I type to get through to the terminal. Now it's instantaneous). Cheers!

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.